Microsoft Windows

This guide describes how to forward logs from a Microsoft Windows system to a designated Syslog endpoint. Since Windows does not natively support Syslog, this process involves using a third-party Syslog agent.

Prerequisites

  • A Microsoft Windows server or workstation.
  • Administrative access to the Windows system.
  • The Syslog endpoint and port provided by the service (replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the actual values).

Step 1: Choose and Install a Syslog Agent

Several third-party Syslog agents are compatible with Windows. Popular options include NXLog, SolarWinds Kiwi Syslog Server, and Datadog Agent. For this guide, we'll use NXLog as an example due to its flexibility and support for various log formats.

  1. Download NXLog: Go to the NXLog website and download the Community Edition of NXLog for Windows.
  2. Install NXLog: Run the installer on your Windows system and follow the installation prompts.

Step 2: Configure NXLog to Forward Windows Logs

  1. Open the NXLog configuration file (nxlog.conf) located in the installation directory, typically C:\Program Files (x86)\nxlog\conf\.

  2. Replace the content with the following configuration, adjusting paths as necessary. This configuration collects Application, System, and Security logs and forwards them to the specified Syslog endpoint:

    # Installation root; must match where NXLog was actually installed
    # (C:\Program Files (x86)\nxlog on a 32-bit install).
    define ROOT C:\Program Files\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    
    # Provides the to_syslog_bsd() procedure used by the output below
    <Extension syslog>
        Module      xm_syslog
    </Extension>
    
    # Read the Application, System and Security channels through the Windows Event Log API
    <Input in>
        Module      im_msvistalog
        Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Application">*</Select>\
                            <Select Path="System">*</Select>\
                            <Select Path="Security">*</Select>\
                        </Query>\
                    </QueryList>
    </Input>
    
    # Send each event as an RFC 3164 (BSD) syslog message over UDP.
    # UDP is unencrypted and best-effort: dropped datagrams are not retransmitted.
    <Output out>
        Module      om_udp
        Host        <SYSLOG_ENDPOINT>
        Port        <SYSLOG_PORT>
        Exec        to_syslog_bsd();
    </Output>
    
    # Connect the input to the output
    <Route 1>
        Path        in => out
    </Route>
    
  3. Replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the Syslog server details provided by your service.

  4. Save the nxlog.conf file and restart the NXLog service. You can restart the service from the Services management console (services.msc) or by running the following command in an elevated command prompt:

    net stop nxlog && net start nxlog
    

Step 3: Verify Log Forwarding

  • After configuring and restarting NXLog, generate test events (e.g., by creating a new user account or starting a service) and verify with your service provider that the logs are being received at the Syslog endpoint.
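If you operate the receiving end yourself, a small listener that decodes the BSD syslog header NXLog's to_syslog_bsd() produces (PRI, timestamp, hostname, Windows event provider, optional PID, message) confirms both that datagrams arrive and that they parse. This is an added example, not NXLog's or the service provider's code; the two sample lines are constructed to match the format NXLog emits, and the `listen()` port is whatever you chose for <SYSLOG_PORT>.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional
# RFC 3164 header as produced by NXLog's to_syslog_bsd():
#   <PRI>Mon DD HH:MM:SS HOSTNAME SOURCENAME[PID]: MESSAGE
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    hostname: str
    source: str        # Windows event provider (NXLog's $SourceName)
    pid: Optional[int]
    message: str

def parse_bsd_syslog(raw: str) -> SyslogEvent:  # raises ValueError on malformed input
    m = BSD_SYSLOG.match(raw.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a BSD syslog message: {raw[:60]!r}")
    pri = int(m["pri"])
    if pri > 191:                      # facility 0-23 and severity 0-7 => max 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    pid = int(m["pid"]) if m["pid"] else None
    return SyslogEvent(pri >> 3, SEVERITIES[pri & 7], m["ts"], m["host"], m["tag"], pid, m["msg"])

def listen(port: int, count: int = 5) -> list:  # receive `count` datagrams, return parsed events
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(events) < count:
            data, (src, _) = sock.recvfrom(65535)
            ev = parse_bsd_syslog(data.decode("utf-8", errors="replace"))
            print(f"{src} {ev.hostname} {ev.severity} {ev.source}: {ev.message[:80]}")
            events.append(ev)
    return events
# Constructed sample lines in the shape NXLog emits for a Security and an Application event.
SAMPLE_SECURITY = "<14>Mar 12 10:15:02 WIN-DC01 Microsoft-Windows-Security-Auditing[4]: An account was successfully logged on."
SAMPLE_APP = "<11>Mar  5 08:00:00 WIN-APP02 MyService: The service failed to start."
```

Run `listen(<SYSLOG_PORT>)` on the receiving host while generating test events; a Security event should show up with source Microsoft-Windows-Security-Auditing, and a PRI or header mismatch raises immediately instead of being silently discarded.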

Troubleshooting

  • Check NXLog Status: Ensure the NXLog service is running without errors. Review the NXLog log file (nxlog.log) for any startup or forwarding issues.
  • Firewall and Network: Verify that any firewalls between your Windows system and the Syslog endpoint allow traffic on the configured port.
  • Configuration Errors: Double-check the NXLog configuration for any mistakes in the Syslog endpoint address or port.

For further assistance or specific configurations, please contact your service provider's support team.